Tibet Trojan attacks connected to Chinese programmer

15.09.2012

"With the information we have, we can say that this guy is behind the active development of the Xplug RAT and he probably has some inside on the operations since this path."

AlienVault also found web references, including referenced Wikipedia entries mentioning a 'WHG', as being connected to a string of important Chinese hacker attacks stretching back some years. A source named the sponsor of the WHG's company as being the PLA.

The connection of WHG's company to the PLA is built on circumstantial evidence but the coincidences are still unsettling.

The PlugX RAT, meanwhile, has been used in attacks in Asia but , exploiting Java vulnerabilities and digital certificates that let it masquerade as legitimate driver files.

Trend Micro reckons that that has been around since early 2008 and probably takes in remote access Trojans including this year's Poison Ivy.